Search for a Bill

Leahy Introduces Benchmark Bill To Update Key Digital Privacy Law

May 17, 2011

WASHINGTON (Tuesday, May 17, 2011) – Senator Patrick Leahy (D-Vt.) Tuesday introduced anticipated legislation to update the Electronic Communications Privacy Act (ECPA), one of the nation’s premier digital privacy laws. Leahy was the lead author of the 1986 law, which was enacted to protect the privacy of Americans’ electronic communications.

The Electronic Communications Privacy Act (ECPA) Amendments Act will make commonsense changes to existing law to improve privacy protections for consumers’ electronic communications and to clarify the legal standards for the government to obtain this information. The legislation includes enhanced privacy protections for the content of Americans’ email and other electronic communications, which would be subject to a search warrant requirement based on probable cause. The bill also includes new privacy protections for Americans’ location information that is collected, used or stored by service providers, smartphones and other mobile technologies.

“Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation’s premiere privacy laws,” said Leahy. “But, today, this law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11. Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security.”

The Leahy-authored bill also includes a provision to enhance the cybersecurity of U.S. computer networks, by allowing service providers to voluntarily disclose content to the government that is pertinent to addressing a cyber-attack involving their computer network. This provision includes important reporting requirements to protect privacy and civil liberties. The bill also improves law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications, if notification would endanger national security.

“The balanced reforms in this bill will help ensure that our federal privacy laws address the many dangers to personal privacy posed by the rapid advances in electronic communications technologies. Accomplishing this challenging task will not be easy. But, with the introduction of the Electronic Communications Privacy Act Amendments Act of 2011, we take a significant step towards this very important goal,” Leahy said.

While portions of the Electronic Communications Privacy Act have been amended, Congress has not enacted comprehensive reforms since the law was enacted in 1986. Advancements in communication technologies, including smartphones and social networking sites, have outpaced the privacy protections included in the law. The Leahy-authored ECPA Amendments Act will fill gaps in existing law and update the law to reflect how American consumers and businesses, and federal, state and local law enforcement utilize electronic communications technologies today.

Leahy is the Chairman of the Senate Judiciary Committee, which held hearings in September 2010 and April 2011 to explore how best to reform ECPA.

The bill is entitled the Electronic Communications Privacy Act Amendments of 2011.

ENHANCED PROTECTIONS FOR CONSUMER PRIVACY

SECTION 2 – PROHIBITION ON VOLUNTARY DISCLOSURE OF CONTENT.

Section 2 amends Section 2702 of ECPA to prohibit an electronic communications, remote computing, or geolocation information service provider from voluntarily disclosing the contents of its customer’s email or other electronic communications to the government. There are limited exceptions to this prohibition under current law, including, customer consent and disclosure to law enforcement to address criminal activity.

Content – Section 3 amends ECPA so that the disclosure of the content of email and other electronic communications by an electronic communications, remote computing, or geolocation information service provider to the government is subject to one legal standard -- a search warrant issued based on a showing of probable cause. The provision eliminates the outdated 180-day rule that currently requires varying legal standards for the government to obtain email content, depending upon the age of the email. The provision also requires that the government notify the individual whose account was disclosed, and provide that individual with a copy of the search warrant and other details about the information obtained, within three days. (ECPA permits the government to access content that is publicly available, such as remarks posted on a blog or a public website.)

Records– Section 3 also amends ECPA to clarify that the government may use an administrative or grand jury subpoena in order to obtain certain kinds of electronic communication records from an electronic communications service provider, including customer name, address, session time records, length of service information, subscriber number and temporarily assigned network address, and means and source of payment information.

Location Information Service Providers– Lastly, Section 3 amends ECPA to clarify that geolocation information service providers are covered by the requirements in Section 2703. The section also makes several technical amendments to Section 2703 of ECPA.

NEW LAW ENFORCEMENT TOOLS

SECTION 4 – DELAYED NOTICE.

Delayed Notice Government– Section 4 amends section 2705 of ECPA to provide that the government may seek a court order to delay notifying an individual of that fact that the government has accessed the contents of their electronic communications for up to 90 days. This delay period may be extended for a period of up to an additional 90 days at a time by a court. Once notice is provide, Section 4 also requires that the government provide the individual with a copy of the search warrant.

National Security– Section 4 also adds a new provision that would allow the government to delay providing notice if doing so would endanger national security. To reduce the costs associated with providing notice, this section also allows the government to provide notice by email, or other effective means.

Delayed Notice Providers– Lastly, Section 4 establishes a 90-day time limit on the period that the government could prevent a service provider from informing its customer about the disclosure of electronic communications information to the government. This time period may be extended by a court for up to an additional 90 days at a time.

PROTECTING CONSUMERS’ LOCATION PRIVACY

SECTION 5 – LOCATION INFORMATION PRIVACY

Warrant Requirement– Section 5 would update ECPA to establish new privacy protections for geolocation information collected, stored or used by mobile devices and mobile applications, such as smartphones and tablets. This provision also clarifies the legal standards for when the government can obtain location information from these and other kinds of electronic communications devices. Specifically, the provision requires that the government obtain either a search warrant or a court order under the Foreign Intelligence Surveillance Act, to access or use an individual’s smartphone or other electronic communications device to obtain geolocation information.

Law Enforcement Exception – Section 5 also establishes a law enforcement exception to the warrant requirement that would apply when the Attorney General or certain other specified senior law enforcement officials designate a law enforcement officer to obtain geolocation information during an emergency involving either, imminent danger, organized crime, or an immediate threat to national security. The government must still obtain a search warrant for the geolocation information within 48 hours, or a court may suppress the evidence obtained or derived from this information in a legal proceeding.

Consent and Emergency Services Exceptions– The provision also includes exceptions to the warrant requirement when there is user consent or a call for emergency services.

Required Disclosure of Real-Time Information – Section 6 would amend ECPA to require that the government obtain a search warrant in order to obtain contemporaneous (real-time) geolocation information from an electronic communications, remote computing, or geolocation information service provider. There is an exception to the warrant requirement for emergency calls for service.

Required Disclosure of Historical Information – Section 6 would also amend ECPA to require that the government obtain either a search warrant, or court order to obtain historical geolocation information from an electronic communications, remote computing, or geolocation information service provider. This provision codifies the government’s current practice for obtaining this kind of location information.

ENHANCING CYBERSECURITY AND NATIONAL SECURITY

SECTION 7 – VOLUNTARY DISCLOSURE TO ENHANCE CYBERSECURITY.

Cybersecurity Exception– Section 7 amends Sections 2702 (b)(5) and (c )(3) of ECPA to permit a provider to voluntarily disclose content that is pertinent to addressing a cyberattack involving their computer network to either the government or to a third-party.

Reporting to Congress– The provision also requires that the Attorney General and the Secretary of Homeland Security submit an annual report to Congress detailing the number of accounts from which either the Department of Justice or Department of Homeland Security received voluntary disclosures under the cybersecurity exception. The provision also requires that the Attorney General provide information about the number of voluntary disclosures under the cybersecurity exception made to the Department that did not result in the filing of criminal charges.

SECTION 8 – ELECTRONIC COMMUNICATIONS IDENTIFIABLE INFORMATION.

Section 8 amends Section 2709(a) of ECPA to clarify the kinds of subscriber electronic communications records that the Federal Bureau of Investigations may obtain from a provider for counterintelligence purposes. The following records are subject to the new provision: name; address; session time and duration; length of service and types of service; telephone or instrument number, or identity; and dialing, routing, addressing and signaling information.

Today, I am pleased to introduce the Electronic Communications Privacy Act Amendments Act of 2011 -- a bill to bring our Federal electronic privacy laws into the digital age. Since the Electronic Communications Privacy Act (ECPA) was first enacted in 1986, the ECPA has been one of our Nation’s premiere privacy laws. But, today, this law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11.

In the digital age, American consumers and businesses face threats to privacy like no time in history. With the explosion of new technologies, including social networking sites, smartphones and other mobile applications, there are many new benefits to consumers. But, there are also many new risks to their privacy.

Just in the past few weeks, we have witnessed significant data breaches involving Sony and Epsilon that impact the privacy of millions of American consumers. We are also learning that smartphones and other new mobile technologies may be using and storing our location and other sensitive information posing other new risks to privacy.

When I led the effort to write the ECPA 25 years ago, no one could have contemplated these and other emerging threats to our digital privacy. Updating this law to reflect the realities of our time is essential to ensuring that our Federal privacy laws keep pace with new technologies and the new threats to our security.

New Privacy Protections for American Consumers

This bill takes several steps to protect Americans’ privacy in the digital age. First, the bill makes common sense changes to the law regarding the privacy protections afforded to consumers’ electronic communications. Under the current law, a single email could be subject to as many a four different levels of privacy protections, depending upon where it is stored and when it was sent. The bill gets rid of the so-called “180-day rule” and replaces this confusing mosaic with one clear legal standard for the protection of the content of emails and other electronic communications. Under my bill, service providers are expressly prohibited from disclosing customer content and the government must obtain a search warrant, based on probable cause, to compel a service provider to disclose the content of a customer’s electronic communications to the government.

This bill also provides important new consumer privacy protections for location information that is collected, used, or stored by service providers, smartphones, or other mobile technologies. To protect consumer privacy, my bill requires that the government obtain either a search warrant, or a court order under the Foreign Intelligence Surveillance Act, in order to access or use an individual’s smartphone or other electronic communications device to obtain geolocation information. There are well-balanced exceptions to the warrant requirement if the government needs to obtain location information to address an immediate threat to safety or national security, or when there is user consent or a call for emergency services. The billalso requires that the government obtain a search warrant in order to obtain contemporaneous (real-time) location information from a provider. There is an exception to the warrant requirement for emergency calls for service.

Strengthening Law Enforcement Tools

To address the role of new technologies in the changing mission of law enforcement, the bill also provides important new tools to law enforcement to fight crime and keep us safe. The bill clarifies the authority under the ECPA for the government to temporarily delay notifying an individual of that fact that the government has accessed the contents of their electronic communications, to protect the integrity of a government investigation. The bill also gives new authority to the government to delay notification in order to protect national security.

Enhancing Cybersecurity and National Security

Lastly, the ECPA Amendments Act strengthens the tools available in ECPA to protect our national security and the security of our computer networks. The legislationcreates a new limited exception to the nondisclosure requirements under the ECPA, so thata service provider can voluntarily disclose content to the government that is pertinent to addressing a cyberattack. To protect privacy and civil liberties, the bill also requires that, among other things, the Attorney General and the Secretary of Homeland Security submit an annual report to Congress detailing the number of accounts from which their departments received voluntary disclosures under this new cybersecurity exception.

In addition, the bill clarifiesthe kinds of subscriber records that the Federal Bureau of Investigations may obtain from a provider in connection with a counterintelligence investigation. This reform will help to make the process for obtaining this information more certain and efficient for both the government and providers.

I drafted this bill with one key principle in mind -- that updates to the Electronic Communication Privacy Act must carefully balance the interests and needs of consumers, law enforcement, and our nation’s thriving technology sector. I also drafted this bill in careful consultation with many government and private sector stakeholders, including the Departments of Justice and Commerce, State and local law enforcement, and members of the technology and privacy communities.

I thank the Digital Due Process Coalition and the many other stakeholders who support this bill. I also thank the Departments of Commerce and Justice for their guidance on how the ECPA impacts the needs of our law enforcement community and our national economy. I look forward to continuing to work with all of these stakeholders as this bill moves forward.

Two decades before Congress first enacted the Electronic Communications Privacy Act, Chief Justice Earl Warren wisely opined that “the fantastic advances in the field of electronic communications constitute a greater danger to the privacy of the individual.” This aptly describes the state of our digital privacy rights today. The balanced reforms in this bill will help ensure that our Federal privacy laws address the many dangers to personal privacy posed by the rapid advances in electronic communications technologies. Accomplishing this challenging task will not be easy. But, with the introduction of the Electronic Communications Privacy Act Amendments Act of 2011, wetake a significant step towards this very important goal.

I ask that the full text of the bill be printed in the Record immediately following my remarks.